Notice

This article applies to Windows 2000. Support for Windows 2000 ends on July 13, 2010. The Windows 2000 End-of-Support Solution Center (http://support.microsoft.com/?scid=http%3a%2f%2fsupport.microsoft.com%2fwin2000) is a starting point for planning your migration strategy from Windows 2000. For more information, see the Microsoft Support Lifecycle Policy (http://support.microsoft.com/lifecycle/).

Authentication methods

NOTE: With some of the following authentication methods, you need to use drives that you have formatted with the NTFS file system because NTFS-formatted drives maintain the highest level of security.

IIS supports the following five Web authentication methods:

Anonymous authentication

IIS creates the IUSR_computername account (where computername is the name of the computer) to authenticate anonymous users when they request Web content. This account gives the user the right to log on locally. You can change the account that is used for anonymous access to any valid Windows account.

NOTE: You can set up different anonymous accounts for different Web sites, virtual directories or physical directories, and files.

If the Windows 2000-based computer is a stand-alone server, the IUSR_computername account is on the local server. If the server is a domain controller, the IUSR_computername account is defined for the domain.

Basic authentication

Use basic authentication to restrict access to files on an NTFS-formatted Web server. With basic authentication, the user must enter credentials and access is based on the user ID.

To use basic authentication, grant each user the right to log on locally and, to make administration easier, add the users to a group that has access to the necessary files.

NOTE: Because user credentials are encoded with Base64 encoding but they are not encrypted when they are transmitted over the network, basic authentication is considered an insecure form of authentication.
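The following example, added here and not part of the Knowledge Base article, shows what the note above means in practice: the Authorization header that a browser sends for basic authentication is only Base64-encoded, so anyone who can read the request on an unencrypted segment can recover the credentials. The sample requests, host name, account name and password are constructed for the example; the audit function flags basic credentials sent over plain HTTP and reports only the user name, not the password.

```python
import base64
import binascii

def decode_basic_credentials(authorization):
    """Recover (user, password) from an 'Authorization: Basic ...' header value.

    Base64 is an encoding, not encryption: the transformation is reversible by
    anyone who sees the header. Returns None if the header is not Basic or is
    malformed (bad Base64, or no ':' separating user-id and password).
    """
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    # RFC 2617: user-id ":" password; only the first ':' separates the two,
    # so a password may itself contain colons.
    user, sep, password = raw.decode("latin-1").partition(":")
    if not sep:
        return None
    return user, password

# Constructed sample requests (scheme, host, path, headers); not captured data.
_BASIC_TOKEN = base64.b64encode(b"CONTOSO\\jsmith:Winter2000!").decode("ascii")
SAMPLE_REQUESTS = [
    {"scheme": "http", "host": "intranet.example", "path": "/reports/",
     "headers": {"Authorization": "Basic " + _BASIC_TOKEN}},
    {"scheme": "https", "host": "intranet.example", "path": "/reports/",
     "headers": {"Authorization": "Basic " + _BASIC_TOKEN}},
    {"scheme": "http", "host": "intranet.example", "path": "/",
     "headers": {"Authorization": "NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA="}},
]

def audit_basic_over_plaintext(requests):
    """Flag requests that carry Basic credentials without SSL.

    Returns one finding per exposed request as (host, path, user). The password
    is deliberately left out so the findings can be written to a log safely.
    """
    findings = []
    for req in requests:
        creds = decode_basic_credentials(req["headers"].get("Authorization", ""))
        if creds and req["scheme"] != "https":
            findings.append((req["host"], req["path"], creds[0]))
    return findings

if __name__ == "__main__":
    for host, path, user in audit_basic_over_plaintext(SAMPLE_REQUESTS):
        print(f"basic credentials for {user} sent in clear text to http://{host}{path}")
```

Only the first sample request is reported: the second carries the same header but over SSL, and the third uses a different scheme. This is the same reasoning behind the later note that basic authentication should be combined with SSL if it is used at all.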

Integrated Windows authentication

Integrated Windows authentication is more secure than basic authentication, and it functions well in an intranet environment where users have Windows domain accounts. In integrated Windows authentication, the browser attempts to use the current user's credentials from a domain logon; if this fails, the user is prompted to enter a user name and password. If you use integrated Windows authentication, the user's password is not transmitted to the server. If the user has logged on to the local computer as a domain user, the user does not have to authenticate again when the user accesses a network computer in that domain.

NOTE: You cannot use integrated Windows authentication through a proxy server.

Digest authentication

Digest authentication addresses many of the weaknesses of basic authentication. The password is not sent in clear text when you use digest authentication. In addition, you can use digest authentication through a proxy server. Digest authentication uses a challenge/response mechanism (the same kind of mechanism that integrated Windows authentication uses) in which the password is sent in an encrypted format. To use digest authentication:

The Windows 2000-based server must be in a domain.

You must install the IISSuba.dll file on the domain controller. This file is copied automatically during Windows 2000 Server Setup.

You must configure all user accounts with the Store password using reversible encryption account option enabled. Enabling this account option requires that the password be reset or re-entered.

NOTE: You have to use Microsoft Internet Explorer 5.0 or later as your Web browser if you are using digest authentication.
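The following example is added here and is not code from the Knowledge Base article or from IIS. It walks through a digest challenge/response exchange of the kind described above (the RFC 2617 variant with qop=auth is assumed), with both the browser side and the server side, to show two things a practitioner should understand: the password itself never appears on the wire, and the server can only check the response if it has the original password, which is why the procedure above requires the "Store password using reversible encryption" account option. The realm, account, password and client nonce are constructed values.

```python
import hashlib
import secrets

def md5_hex(*parts):
    """MD5 over colon-joined parts, the hashing step RFC 2617 uses throughout."""
    return hashlib.md5(":".join(parts).encode("utf-8")).hexdigest()

def digest_response(username, password, realm, method, uri, nonce, nc, cnonce, qop="auth"):
    """Browser side: response = MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = md5_hex(username, realm, password)   # the only place the password is used
    ha2 = md5_hex(method, uri)
    return md5_hex(ha1, nonce, nc, cnonce, qop, ha2)

def build_authorization_header(username, realm, nonce, uri, response, nc, cnonce, qop="auth"):
    """What is actually transmitted: there is no password field at all."""
    quoted = [("username", username), ("realm", realm), ("nonce", nonce),
              ("uri", uri), ("qop", qop), ("cnonce", cnonce), ("response", response)]
    return "Digest " + ", ".join(f'{k}="{v}"' for k, v in quoted) + f", nc={nc}"

def parse_authorization_header(header):
    """Minimal parser for the header produced above (no escaped quotes handled)."""
    scheme, _, rest = header.partition(" ")
    if scheme != "Digest":
        return None
    params = {}
    for item in rest.split(", "):
        key, _, value = item.partition("=")
        params[key.strip()] = value.strip().strip('"')
    return params

class DigestServer:
    """Server side. The account store holds plaintext passwords: a one-way
    password hash could not produce HA1, so a digest verifier needs the
    password in recoverable form (constructed store, not a real domain)."""

    def __init__(self, realm, accounts):
        self.realm = realm
        self.accounts = accounts
        self.issued = set()   # nonces this server handed out
        self.used = set()     # (nonce, nc) pairs already accepted

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.issued.add(nonce)
        return nonce

    def verify(self, method, uri, header):
        p = parse_authorization_header(header)
        if p is None or p.get("nonce") not in self.issued:
            return False                      # not one of our challenges
        if (p["nonce"], p.get("nc")) in self.used:
            return False                      # replay of an accepted response
        password = self.accounts.get(p.get("username"))
        if password is None or p.get("uri") != uri:
            return False
        expected = digest_response(p["username"], password, self.realm, method, uri,
                                   p["nonce"], p.get("nc", ""), p.get("cnonce", ""),
                                   p.get("qop", "auth"))
        if not secrets.compare_digest(expected, p.get("response", "")):
            return False
        self.used.add((p["nonce"], p.get("nc")))
        return True

def run_exchange(password_used_by_client):
    """Full exchange; returns (accepted, password_on_wire, replay_accepted)."""
    server = DigestServer("intranet.example", {"jsmith": "Winter2000!"})
    nonce = server.challenge()
    cnonce = "0a4f113b"                        # constructed; a browser picks this at random
    method, uri, nc = "GET", "/reports/", "00000001"
    response = digest_response("jsmith", password_used_by_client, server.realm,
                               method, uri, nonce, nc, cnonce)
    header = build_authorization_header("jsmith", server.realm, nonce, uri, response, nc, cnonce)
    accepted = server.verify(method, uri, header)
    replayed = server.verify(method, uri, header)  # same header sent a second time
    return accepted, password_used_by_client in header, replayed

if __name__ == "__main__":
    print(run_exchange("Winter2000!"))   # correct password
    print(run_exchange("guess"))         # wrong password
```

With the correct password the server accepts the first response and rejects the identical header when it is sent again; with a wrong password nothing is accepted. In neither case does the password string appear in the transmitted header, which is the property the article contrasts with basic authentication.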

Client certificate mapping

Client certificate mapping is a method where a "mapping" is created between a certificate and a user account. In this model, a user presents a certificate and the system looks at the mapping to determine which user account should be logged on. You can map a certificate to a Windows user account in one of two ways:

By using Active Directory.

-or-

By using rules that are defined in IIS.
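The following example is added here to illustrate the second option; it is not IIS code, and the rule format is an assumption made for the illustration rather than the syntax IIS uses. It models the two kinds of mapping the article names: an exact mapping from one certificate to one account, and rule-based mapping that reads fields of the certificate's subject and issuer and logs on a shared account when they match. The certificates, thumbprints, accounts and rules are all constructed. The point worth noticing is the third sample certificate: a rule that checks only the subject would match it, so every rule pins the issuer and a final deny rule catches anything unmatched. Mapping is applied only after the certificate chain has already been validated; it chooses an account, it does not decide whether the certificate is genuine.

```python
def parse_dn(dn):
    """'CN=Jane Smith, OU=Finance, O=Contoso' -> {'CN': 'Jane Smith', 'OU': ..., 'O': ...}.
    A simple splitter for the constructed DNs below; it does not handle escaped commas."""
    fields = {}
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        if key:
            fields[key.strip().upper()] = value.strip()
    return fields

# One-to-one mapping: a specific certificate (identified by thumbprint) -> one account.
ONE_TO_ONE = {
    "CONSTRUCTED-THUMBPRINT-0001": "CONTOSO\\jsmith",
}

# Rule-based (many-to-one) mapping, evaluated in order; the first match decides.
# Every accept rule constrains the issuer so that a certificate with a matching
# subject but from a different CA cannot be mapped to an account.
MANY_TO_ONE = [
    {"issuer": {"O": "Contoso CA"}, "subject": {"OU": "Finance"},
     "action": "accept", "account": "CONTOSO\\finance_web"},
    {"issuer": {"O": "Contoso CA"}, "subject": {},
     "action": "accept", "account": "CONTOSO\\staff_web"},
    {"issuer": {}, "subject": {}, "action": "deny", "account": None},
]

def rule_matches(rule, cert):
    subject, issuer = parse_dn(cert["subject"]), parse_dn(cert["issuer"])
    return (all(subject.get(k) == v for k, v in rule["subject"].items())
            and all(issuer.get(k) == v for k, v in rule["issuer"].items()))

def map_certificate(cert):
    """Return the account to log on for this (already validated) certificate,
    or None when no mapping applies and the request must not be logged on."""
    account = ONE_TO_ONE.get(cert["thumbprint"])
    if account:
        return account
    for rule in MANY_TO_ONE:
        if rule_matches(rule, cert):
            return rule["account"] if rule["action"] == "accept" else None
    return None

# Constructed certificate records: the fields a mapper reads from a parsed
# X.509 certificate. These are not real certificates.
SAMPLE_CERTS = [
    {"thumbprint": "CONSTRUCTED-THUMBPRINT-0001",
     "subject": "CN=Jane Smith, OU=Finance, O=Contoso", "issuer": "CN=Contoso Issuing CA, O=Contoso CA"},
    {"thumbprint": "CONSTRUCTED-THUMBPRINT-0002",
     "subject": "CN=Bob Lee, OU=Finance, O=Contoso", "issuer": "CN=Contoso Issuing CA, O=Contoso CA"},
    {"thumbprint": "CONSTRUCTED-THUMBPRINT-0003",
     "subject": "CN=Bob Lee, OU=Finance, O=Contoso", "issuer": "CN=Some Other CA, O=Other CA"},
    {"thumbprint": "CONSTRUCTED-THUMBPRINT-0004",
     "subject": "CN=Ann Wu, OU=IT, O=Contoso", "issuer": "CN=Contoso Issuing CA, O=Contoso CA"},
]

if __name__ == "__main__":
    for cert in SAMPLE_CERTS:
        print(cert["subject"], "->", map_certificate(cert))
```

The first certificate is mapped by its exact thumbprint, the second by the Finance rule, the fourth by the catch-all Contoso rule, and the third (same subject as the second but a different issuer) reaches the deny rule and is not logged on.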

For additional information about how to map client certificates to user accounts, search for Client Certificate Mapping in the IIS documentation. If you have IIS installed, you can view the IIS documentation by typing the following URL in the Address bar of your Web browser where localhost is the name of the local host:

http://localhost/iisHelp/iis/misc/default.asp

For more information about how to use certificates, click the following article number to view the article in the Microsoft Knowledge Base:

How to configure IIS Web site authentication

Click Start, point to Programs, point to Administrative Tools, and then click Internet Services Manager.

The Internet Information Services snap-in starts.

In the console tree, click * computer name where computer name is the name of the computer.

Right-click one of the following items, and then click Properties:

To configure authentication for all Web content that is hosted on the IIS server, right-click * computer name.

To configure authentication for an individual Web site, right-click the Web site that you want.

To configure authentication for a virtual directory or a physical directory in a Web site, click the Web site that you want, and then right-click the directory that you want, such as _vti_pvt.

To configure authentication for an individual page or file in a Web site, click the Web site that you want, click the folder that contains the file or the page that you want, and then right-click the file or the page that you want.

On the Item Name Properties dialog box where Item Name is the name of the item that you selected, click the Directory Security tab.

NOTE: If the selected item is an individual file, click the File Security tab.

Under Anonymous access and authentication control, click Edit.

Click to select the Anonymous access check box to turn on anonymous access. To turn off anonymous access, click to clear this check box.

NOTE: If you turn off anonymous access, you need to configure some form of authenticated access.

To change the account that is used for anonymous access to this resource, click Edit next to Account used for anonymous access.

In the Anonymous User Account dialog box, click the user account that you want to use for anonymous access.

Click to clear the Allow IIS to control password check box if you want to use the Windows LogonUser() API for user authentication.

NOTE: Turning this password control option off forces IIS to use normal authentication and to log the account on locally. You should turn this option off if users experience difficulty accessing resources such as files or Microsoft Access databases on a network computer.

Click OK.

Under Authenticated access, click to select the Basic authentication (password is sent in clear text) check box to turn on basic authentication. When you receive the following message, click Yes:

The authentication option you have selected results in passwords being transmitted over the network without data encryption. Someone attempting to compromise your system security could use a protocol analyzer to examine user passwords during the authentication process. For more detail on user authentication, consult the online help. This warning does not apply to HTTPS (or SSL) connections.

Are you sure you want to continue?

To select a domain with which to authenticate users that are using basic authentication, click Edit next to Select a default domain.

Type the domain that you want in the Domain Name box, and then click OK.

NOTE: If you are concerned about security on your intranet because basic authentication transmits user name and password information in clear text, you can use basic authentication together with Secure Sockets Layer (SSL).

Click to select the Digest authentication for Windows domain servers check box to use digest authentication. When you receive the following message, click Yes:

Digest authentication works with Windows 2000 domain accounts only and requires the accounts to store passwords as encrypted clear text.